Emails from our servers sent to Mimecast are being "temporarily rejected" due to greylisting.

Mimecast has docs on this; they say that every time they see a unique IP and sender, they greylist the IP temporarily. They recommend to keep retrying and eventually the IP should get greylisted.

We've configured our Postfix to do this. All bounced emails get retried a few times but Mimecast is not removing us off their greylist.

Our domain has properly configured PTR and SPF records. The IP is also not blacklisted anywhere.

Here is our Postfix configuration:

maximal_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m

I have also contacted them but I am going to assume they will never reply because we are not Mimecast customers.

How do we go about getting off their greylist?

RainSear

1 Answer

> They recommend to keep retrying and eventually the IP should get greylisted.
>
> We've configured our Postfix to do this. All bounced emails get retried a few times but Mimecast is not removing us off their greylist.

If you will forgive me, I'm not sure you quite understand greylisting. As Mimecast's docs say, the identifier for a greylisting decision is a triplet:

  • IP address of the host attempting the delivery
  • Envelope sender address
  • Envelope recipient address

When delivery is attempted of an email with a previously unseen triplet, greylisting should temporarily knock it back. When that particular email tries to be redelivered from the same server, it should be accepted, and that specific triplet gets written to a temporary whitelist.

Further emails with the same triplet arriving within the lifetime of the whitelist entry should be delivered. If you have evidence of any of this not happening, it would be of interest.

But further emails from other senders at your domain, or to different recipients, should quite properly be greylisted. Your server doesn't suddenly get carte blanche to send emails simply because it successfully delivered a single piece of mail.

Most recipients do not choose to greylist based on the existence of valid SPF and/or PTR records, nor your IP's presence on blacklists (or the lack thereof), so your accomplishments there—whilst likely to be of help further down the anti-spam chain—are probably not relevant to greylisting.

Greylisting is generally applied to all incoming email, though some implementations do exempt any email that arrives under cover of SMTP TLS, presumably reasoning that very few fire-and-forget bots can properly do TLS (yet).

MadHatter
  • Correct to all above points. If you want your domain to be safelisted at a given recipient's domain, reach out to their mail admins to add your domain to the Permitted Senders list. Mimecast will absolutely not do this for you on behalf of all of their clients. – mfinni Dec 31 '15 at 02:41
  • Got it, thank you. My understanding of greylisting was indeed incorrect. – RainSear Dec 31 '15 at 04:01
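
The triplet behaviour described in the answer above, as an added example that is not part of the original thread and is not Mimecast's code. The timer values, the refresh-on-use rule, the class and function names, and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy timers; the page does not state the receiver's real values.
MIN_RETRY_DELAY = 60                 # seconds before a retry of a new triplet counts
PENDING_LIFETIME = 12 * 3600         # how long an unretried first attempt is remembered
WHITELIST_LIFETIME = 36 * 24 * 3600  # how long a passed triplet stays whitelisted


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: dict = field(default_factory=dict)  # triplet -> expiry time

    def check(self, ip, sender, recipient, now):
        """Return the SMTP reply a greylisting receiver would give for this attempt."""
        triplet = (ip, sender.lower(), recipient.lower())
        if self.whitelist.get(triplet, 0) > now:
            self.whitelist[triplet] = now + WHITELIST_LIFETIME  # assumed: refresh on use
            return "250 accepted (whitelisted triplet)"
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_LIFETIME:
            self.pending[triplet] = now
            return "451 greylisted (new triplet)"
        if now - first_seen < MIN_RETRY_DELAY:
            return "451 greylisted (retried too soon)"
        del self.pending[triplet]
        self.whitelist[triplet] = now + WHITELIST_LIFETIME
        return "250 accepted (retry passed)"


def replay(attempts):
    """Run (time, ip, sender, recipient) attempts through one greylist; return reply codes."""
    gl = Greylist()
    return [gl.check(ip, s, r, t)[:3] for t, ip, s, r in attempts]


# Constructed sample traffic: one sending IP, retry after 5 minutes as with
# the question's minimal_backoff_time = 5m.
SAMPLE = [
    (0,   "192.0.2.10", "alerts@example.org",  "bob@example.net"),    # first attempt
    (300, "192.0.2.10", "alerts@example.org",  "bob@example.net"),    # Postfix retry
    (400, "192.0.2.10", "alerts@example.org",  "bob@example.net"),    # later mail, same triplet
    (400, "192.0.2.10", "billing@example.org", "bob@example.net"),    # new sender
    (400, "192.0.2.10", "alerts@example.org",  "carol@example.net"),  # new recipient
]

if __name__ == "__main__":
    for attempt, code in zip(SAMPLE, replay(SAMPLE)):
        print(code, attempt)
```

Only the exact triplet that was retried is accepted afterwards; the same IP with a different sender or recipient starts over with a temporary rejection.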